SOA Security

<Iris Levari>
<OWASP role>
<Amdocs>
<irisl@amdocs.com>
OWASP
<12/3/07>

Copyright The OWASP Foundation


Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation


http://www.owasp.org

Agenda

- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

SOA Example

SOA Key Terms

SOA - Service Oriented Architecture

- Business-process-oriented architecture
- Decomposing business processes into discrete functional units = services
- Existing or new business functionalities are grouped into atomic business services
- Evolution of distributed computing and modular programming, driven by newly emergent business requirements
- Application development focused on implementing business logic

Service Properties

A service is:
- Loosely coupled
- High-level granularity
- Self-describing
- Hardware or software platform interoperability
- Discoverable
- Composable: a service can be composed of other services
- Context-independent

Service Oriented Architecture - Advantages & Disadvantages

Advantages:
- Maximize reuse
- Reduce integration cost
- Flexible & easily changed to reflect business process change

Shortcomings:
- Message handling and parsing
- Legacy application services wrapping
- Complex service design and implementation

SOA Example

Business-Driven Development Methodology

Security Encompasses all life cycle aspects

New Security Threats

SOA introduces the following new security threats:
- Services are to be consumed by entities outside of the local trust domain
- Confidential data passes the domain's trust boundaries
- Authentication and authorization data is communicated to external trust domains
- Security must be enforced across the trust domain
- Managing user and service identities

Security Considerations

- The propagation of users and services across domain trust boundaries
- The need to seamlessly connect to other organizations on a real-time transactional basis
- Security controls for each service and for service combinations
- Managing identity and security across a range of systems and services with a mix of new and old technologies
- Protecting business data in transit and at rest
- Compliance with corporate, industry & regulatory standards
- Composite services

New Techniques in Integration Security

SOA introduces new techniques in integration security:
- Message level security vs. transport level security
- Converting security enforcement into a service
- Declarative & policy-based security

Message Level Security vs. Transport Level Security

Transport level security (SSL/VPN):
- Point-to-point message exchange
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used (e.g. HTTPS)

Message level security:
- End-to-end security
- Different message fields within the same message are to be read by different entities

Transport Layer Security

Security in the Message

HTTP security (SSL) is point-to-point: one security context covers the hop from
Sender to Intermediary, and a separate security context covers the hop from
Intermediary to Receiver.

  [ Security Context ]        [ Security Context ]
  Sender ---------- Intermediary ---------- Receiver

WS-Security provides context over multiple end points: a single security
context spans Sender, Intermediary and Receiver.

  [ -------------- Security Context -------------- ]
  Sender ---------- Intermediary ---------- Receiver

Transport Security For Web Services Pros and Cons

Pros:
- Mature: SSL/VPN
- Supported by most servers and clients
- Understood by most system administrators
- Simpler

Cons:
- Point to point: messages are in the clear after reaching the SSL endpoint
- Waypoint visibility: can't have partial visibility into the message parts
- Granularity
- Transport dependent: applies only to HTTP

Message Security For Web Services Pros And Cons

Pros:
- Persistent, self-protecting message
- Portions of the message can be secured to different parties
- Different security policies can be applied to request and response transport

Cons:
- Encompasses many other standards, including XML Encryption, XML Signature, X.509 certificates and more

Message Level Security (example)

Integration of a brokerage and a bank. An investor securely attaches an
authorization to withdraw funds from a bank account to the trading request
submitted to the brokerage. The attached authorization is secured from
everyone, including the brokerage. Only the bank can read it and make use of
it.

Converting Security into a Service

Security services provide services such as:
- Authentication
- Authorization
- Message services:
  - Encryption / decryption
  - Signing
  - Verification of signatures
  - Log messages, scrub messages

- Facilitates integration
- Reduces development cost

SOA Security Reference Model

Traditional SSO

- Security is hard coded into each application
- User credentials are transmitted across enterprise boundaries

SOA SSO Federation

SOA SSO Federation (cont.)

Traditional: limited implementation using 3rd-party SSO solutions
- No easy integration with applications that have not been written by the same 3rd-party SSO manufacturer

SOA solution:
- Managing security interaction between applications
- Clients and servers dynamically negotiate security policies
- Easy implementation

WS-Security Standard

- SOAP security (securing the web service messages)
- SOAP header extension
- Standard Feb. 2007 Ver 1.1 (OASIS)
- Any combination of, in request/response:
  - Authentication
  - Encryption
  - Digital Signature

Web Services Stack

Web Services Security Architecture

WS Security Building Blocks

- Security Tokens
  - Username Token
  - Username Token with Password Digest
  - Binary Security Token
    - X.509 Version 3 certificates
    - Kerberos tickets
- Signatures: sign all or part of the SOAP body
- Reference List or Encrypted Key

Structure of a Basic Web Services Security
SOAP Header

Structure of a Basic Web Services Security
SOAP Header (cont.)

XML Encryption in WS-Security

Use of a <ReferenceList> in the Security header pointing to the parts of the
message encrypted with XML Encryption.

Providing Integrity: XML Signature in Web Services Security

XML Signature:
- Verifies a security token or SAML assertion
- Message integrity
- XML syntax
- An explicit <Reference> element points to what is being signed
- One or more XML signatures
- Overlapping is possible

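Added example, not from the deck: a simplified XML Signature flow in the WS-Security header that shows the explicit <Reference> pointing at a wsu:Id above, and the earlier brokerage/bank point that portions of one message can be secured separately. It assumes a shared HMAC-SHA256 key and the standard library's C14N 2.0 canonicalizer in place of a real WS-Security stack's C14N 1.x and X.509 signatures; the envelope, element names and key are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}

# Constructed sample: the trade request and the bank authorization are separate parts of one SOAP body.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<soap:Header><wsse:Security/></soap:Header><soap:Body>
<TradeRequest wsu:Id="Trade"><Symbol>ACME</Symbol><Quantity>100</Quantity></TradeRequest>
<BankAuthorization wsu:Id="Auth"><Account>12-345</Account><Limit>5000</Limit></BankAuthorization>
</soap:Body></soap:Envelope>"""

def c14n(elem) -> bytes:
    # Canonical bytes of one subtree (stdlib C14N 2.0 stands in for the C14N 1.x a real WS-Security stack uses).
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True, rewrite_prefixes=True).encode()

def digest(elem) -> str:
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()
def find_by_id(root, ref_id):  # resolve a ds:Reference URI="#id" to the element carrying that wsu:Id
    return next((e for e in root.iter() if e.get(f"{{{WSU}}}Id") == ref_id), None)

def sign(xml_text: str, ids, key: bytes) -> str:
    # Adds one ds:Signature with a ds:Reference per listed part; an HMAC-SHA256 over SignedInfo binds the digests.
    root = ET.fromstring(xml_text)
    sig = ET.SubElement(root.find("soap:Header/wsse:Security", NS), f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for ref_id in ids:
        ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + ref_id)
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(find_by_id(root, ref_id))
    mac = hmac.new(key, c14n(info), "sha256").digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify(xml_text: str, key: bytes) -> bool:
    # Every ds:Signature in the header must check: first the MAC over SignedInfo, then each referenced part's digest.
    root = ET.fromstring(xml_text)
    sigs = root.findall("soap:Header/wsse:Security/ds:Signature", NS)
    for sig in sigs:
        info = sig.find("ds:SignedInfo", NS)
        mac = hmac.new(key, c14n(info), "sha256").digest()
        if not hmac.compare_digest(mac, base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS))):
            return False
        for ref in info.findall("ds:Reference", NS):
            part = find_by_id(root, ref.get("URI", "").lstrip("#"))
            if part is None or not hmac.compare_digest(digest(part), ref.findtext("ds:DigestValue", namespaces=NS)):
                return False
    return bool(sigs)
```

Signing only "Auth" leaves "Trade" free to change while the authorization stays tamper-evident, which is the per-part granularity transport-level SSL cannot express.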